File name:

174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded

Full analysis: https://app.any.run/tasks/8280c2a6-895f-409e-930f-ad3a337860a1
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 12:31:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
auto-sch
remcos
rat
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

5D231B5B2CC7DC6D9DD3CC09A7C5684E

SHA1:

9E2B2FFC47DFBA8CE8277C59C32DCF5B0443A8D9

SHA256:

D90AC5CDD18EE64F62CCE7E5A17A787969C213252552BA1E27A547F196F06831

SSDEEP:

49152:n8gq5+bd/bMVcKqEVCLfpimRnxdKnwUSlaAuLw:TlbV4lVItRaw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2320)

    • REMCOS has been detected

      • qdapevrA.pif (PID: 5024)
      • qdapevrA.pif (PID: 5024)

    • REMCOS mutex has been found

      • qdapevrA.pif (PID: 5024)

    • REMCOS has been detected (SURICATA)

      • qdapevrA.pif (PID: 5024)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)

    • Reads security settings of Internet Explorer

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)
      • qdapevrA.pif (PID: 5024)

    • Starts CMD.EXE for commands execution

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)

    • Executing commands from ".cmd" file

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 8024)

    • Likely accesses (executes) a file from the Public directory

      • esentutl.exe (PID: 8124)
      • alpha.pif (PID: 8156)
      • alpha.pif (PID: 8176)

    • Drops a file with a rarely used extension (PIF)

      • esentutl.exe (PID: 8124)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)

    • Executable content was dropped or overwritten

      • esentutl.exe (PID: 8124)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)

    • Starts itself from another location

      • cmd.exe (PID: 7984)

    • Created directory related to system

      • alpha.pif (PID: 8156)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7984)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)

    • Starts a Microsoft application from unusual location

      • alpha.pif (PID: 8156)
      • alpha.pif (PID: 8176)

    • Connects to unusual port

      • qdapevrA.pif (PID: 5024)

    • Contacting a server suspected of hosting an CnC

      • qdapevrA.pif (PID: 5024)

  • INFO

    • Checks proxy server information

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)
      • qdapevrA.pif (PID: 5024)

    • Compiled with Borland Delphi (YARA)

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)

    • Reads the computer name

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)
      • qdapevrA.pif (PID: 5024)

    • Reads the software policy settings

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)
      • slui.exe (PID: 7480)

    • Checks supported languages

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)
      • alpha.pif (PID: 8176)
      • qdapevrA.pif (PID: 5024)
      • alpha.pif (PID: 8156)

    • Creates files in the program directory

      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)
      • qdapevrA.pif (PID: 5024)

    • The sample compiled with english language support

      • esentutl.exe (PID: 8124)

    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 2320)

    • Creates files or folders in the user directory

      • qdapevrA.pif (PID: 5024)

    • Reads the machine GUID from the registry

      • qdapevrA.pif (PID: 5024)
      • 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe (PID: 7400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 428544
InitializedDataSize: 574976
UninitializedDataSize: -
EntryPoint: 0x6980c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
145
Monitored processes
17
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe sppextcomobj.exe no specs slui.exe svchost.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs #REMCOS qdapevra.pif slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2320C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\199.cmdC:\Windows\SysWOW64\cmd.exe174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2384\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5024C:\\Users\\admin\\Links\\qdapevrA.pifC:\Users\admin\Links\qdapevrA.pif
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
David Harris
Integrity Level:
MEDIUM
Description:
Pegasus Mail Mailbox Maintenance Utility
Version:
4.51
Modules
Images
c:\users\admin\links\qdapevra.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5392C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7152schtasks /create /sc minute /mo 20 /tn "Arvepadq" /tr C:\\ProgramData\\Arvepadq.url"C:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7400"C:\Users\admin\AppData\Local\Temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe" C:\Users\admin\AppData\Local\Temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7448C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7480"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7984C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\3075.cmdC:\Windows\SysWOW64\cmd.exe174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
1 856
Read events
1 851
Write events
5
Delete events
0

Modification events

(PID) Process:(5024) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-R5QRIR
Operation:writeName:exepath
Value:
F1E61D1292F5402B0C9AE804AA718A89ADFD524E02781830E845CD115E3F7AD6B9BF7BA474A6E83B99A0C76FC80A891C059376F1857DDE5427B108A23D0A217705A67014
(PID) Process:(5024) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-R5QRIR
Operation:writeName:licence
Value:
71190D310CA021E52652EE16E36CA3FF
(PID) Process:(5024) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5024) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5024) qdapevrA.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
3
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
7400174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\40438.cmdtext
MD5:9A020804EBA1FFAC2928D7C795144BBF
SHA256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
8124esentutl.exeC:\Users\Public\alpha.pifexecutable
MD5:D3348AC2130C7E754754A6E9CB053B09
SHA256:E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
7400174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\Arvepadqbinary
MD5:89F9CC61F24B0551FFC8C110317762CA
SHA256:9DD74C95B2FDBF60739D69E47000C4AA387C9AE2AEC76D83074D5362D58E572B
7400174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\Arvepadq.urlbinary
MD5:89080FD464CAF0277910DA614A6578F3
SHA256:01191DC18871E9225E7B315E6A9C504B30E187F7C404A4106FDE51E67CFCED2C
7400174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\neo.cmdtext
MD5:5BAF253744AD26F35BA17DB6B80763E9
SHA256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
7400174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\Arvepadq.PIFexecutable
MD5:5D231B5B2CC7DC6D9DD3CC09A7C5684E
SHA256:D90AC5CDD18EE64F62CCE7E5A17A787969C213252552BA1E27A547F196F06831
5024qdapevrA.pifC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].jsonbinary
MD5:06CDF1884BB262383335DC4FE90C53B1
SHA256:1826985AD05C318C0D9ED3E02746EE8E2986103F1E8820F29EA9C173FB413C09
7400174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\3075.cmdtext
MD5:1DF650CCA01129127D30063634AB5C03
SHA256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
7400174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\Users\admin\Links\qdapevrA.pifexecutable
MD5:3776012E2EF5A5CAE6935853E6CA79B2
SHA256:8E104CC58E62DE0EAB837AC09B01D30E85F79045CC1803FA2EF4EAFBDBD41E8D
7400174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exeC:\ProgramData\199.cmdtext
MD5:2E689D3B03BC948891640877694F8845
SHA256:5620ADE9D7ED2BC37A89A8061E88B6861BFDAD6E6D5A7431EDB52BBBEE0F738A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
25
DNS requests
18
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5212
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5212
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5024
qdapevrA.pif
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.150
  • 23.48.23.169
  • 23.48.23.173
  • 23.48.23.145
  • 23.48.23.141
  • 23.48.23.177
  • 23.48.23.161
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.128
  • 20.190.159.131
  • 20.190.159.130
  • 20.190.159.4
  • 40.126.31.129
  • 40.126.31.131
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
link.storjshare.io
  • 185.244.226.2
malicious
remcoslogs.duckdns.org
  • 107.175.32.184
unknown
geoplugin.net
  • 178.237.33.50
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING File Sharing Service Domain in DNS Lookup (link .storjshare .io)
7400
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
Potentially Bad Traffic
ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Commonly Actor Abused Online Service Domain (storjshare .io)
7400
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded.exe
Misc activity
ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
5024
qdapevrA.pif
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
5024
qdapevrA.pif
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
174592806627ae1b1a96165d0b2baf1677c68cd26037d4646d3a7041d63fc7da8f832d7adf608.dat-decoded